Listen to this Post
The vulnerability exists in Astro’s `defineScriptVars` function (packages/astro/src/runtime/server/render/util.ts lines 42-53). It sanitizes values injected into inline `` (no `i` flag), whitespace before `>` like `` (the tokenizer enters “before attribute name” state), and self‑closing slash like `` (self‑closing start tag state). `JSON.stringify()` does not escape <, >, or `/` characters, so malicious input passes through unchanged. The execution flow: user‑controlled input (e.g., Astro.url.searchParams) → assigned to a variable → passed via `define:vars` on a `
To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behavior or unique IDs on this site. Not consenting or withdrawing consent may adversely affect certain features and functions.
We do not sell your personal data. If you wish to exercise your rights under applicable privacy laws, please visit our Do Not Sell My Personal Information page.